When running the AWS (Amazon Web Services) import-image task:
    aws ec2 import-image --description "My OVA" --disk-containers file://c:\TEMP\containers.json
I get the following error:
An error occurred (InvalidParameter) when calling the ImportImage operation: User does not have access to the S3 object.(mys3bucket/vms/myOVA.ova)
I followed all of the instructions in this AWS document on importing a VM (including Steps 1, 2, and 3). Specifically, I set up a vmimport role and the recommended policies for the role. What am I doing wrong?
I finally figured this out. The problem was that my IAM user, which contains the vmimport role, did not have access to my S3 bucket. Once I granted my IAM user access to my S3 bucket (by setting a bucket policy in S3), the import-image command kicked off the process successfully.
To set the bucket policy in S3, right-click on your bucket (i.e. the top level bucket name in S3), then click "Properties". Then from the right-hand menu that gets displayed, open "Permissions", and click "Add bucket policy". A small window will come up where you can put in JSON for a policy. Here is the one that worked for me:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1476979061000",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::MY-AWS-account-ID:user/myIAMuserID"
          },
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::mys3bucket",
            "arn:aws:s3:::mys3bucket/*"
          ]
        }
      ]
    }
You'll need to replace "MY-AWS-account-ID" with your AWS Account ID, and "myIAMuserID" with your IAM user ID that contains the vmimport role. This document talks about how to get your AWS Account ID. And this document talks more about granting permissions in S3.
I had the same error message, except the message did not specify the name of the S3 object. In my containers.json file I had to use the bucket name instead of the full ARN. That is, instead of arn:aws:s3:::mybucketname I just use mybucketname. This works:
    [
      {
        "Description": "VM Simulator",
        "Format": "vmdk",
        "UserBucket": {
          "S3Bucket": "mybucketname",
          "S3Key": "vmdisks/vmSimulator.vmdk"
        }
      }
    ]
This fails:
    [
      {
        "Description": "Qtof Simulator",
        "Format": "vmdk",
        "UserBucket": {
          "S3Bucket": "arn:aws:s3:::mybucketname",
          "S3Key": "vmdisks/vmSimulator.vmdk"
        }
      }
    ]
with the message: An error occurred (InvalidParameter) when calling the ImportImage operation: User does not have access to the S3 object
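The same InvalidParameter error covers both a real permission gap and a malformed bucket reference, so a static check of containers.json before calling import-image separates the two cases. This is an added example, not code from either answer: the function name `lint_disk_containers` is hypothetical, and it only inspects the file, it does not test IAM or bucket-policy permissions.

```python
import json
import re

# S3 bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens,
# beginning and ending with a letter or digit.
BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

def lint_disk_containers(text):
    """Return (index, field, problem) tuples for a containers.json document."""
    try:
        containers = json.loads(text)
    except json.JSONDecodeError as exc:
        return [(None, "file", f"not valid JSON: {exc.msg}")]
    if not isinstance(containers, list):
        return [(None, "file", "top level must be a JSON array")]
    problems = []
    for i, item in enumerate(containers):
        # Only entries that read from S3 (UserBucket) are checked here.
        user_bucket = item.get("UserBucket") if isinstance(item, dict) else None
        if not isinstance(user_bucket, dict):
            continue
        bucket = user_bucket.get("S3Bucket")
        key = user_bucket.get("S3Key")
        if not isinstance(bucket, str) or not bucket:
            problems.append((i, "S3Bucket", "missing or not a string"))
        elif bucket.startswith("arn:"):
            # The failure from the answer above: an ARN where a name is expected.
            name = bucket.rsplit(":", 1)[-1].split("/", 1)[0]
            problems.append((i, "S3Bucket", f"ARN given; use the bucket name '{name}'"))
        elif bucket.startswith("s3://") or "/" in bucket:
            problems.append((i, "S3Bucket", "URL or path given; put the object path in S3Key"))
        elif not BUCKET_NAME.match(bucket):
            problems.append((i, "S3Bucket", "not a valid S3 bucket name"))
        if not isinstance(key, str) or not key:
            problems.append((i, "S3Key", "missing or not a string"))
        elif key.startswith("/"):
            problems.append((i, "S3Key", "leading '/' names a different object key"))
    return problems

# Constructed samples: the working and failing files quoted on this page.
WORKS = '[{"Description": "VM Simulator", "Format": "vmdk", "UserBucket": {"S3Bucket": "mybucketname", "S3Key": "vmdisks/vmSimulator.vmdk"}}]'
FAILS = '[{"Description": "Qtof Simulator", "Format": "vmdk", "UserBucket": {"S3Bucket": "arn:aws:s3:::mybucketname", "S3Key": "vmdisks/vmSimulator.vmdk"}}]'

if __name__ == "__main__":
    for label, doc in (("works", WORKS), ("fails", FAILS)):
        print(label, lint_disk_containers(doc))
```

An empty result means the bucket reference is well formed, so a remaining "User does not have access to the S3 object" error points at permissions rather than at the file.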